Closed Bug 1738501 (CVE-2021-43529) Opened 3 years ago Closed 3 years ago

Automatic S/MIME cert import should use additional verification using mozilla::pkix


(MailNews Core :: Security: S/MIME, enhancement, P1)



(thunderbird_esr78 wontfix, thunderbird_esr91+ fixed, thunderbird95 fixed)

96 Branch
Tracking Status
thunderbird_esr78 --- wontfix
thunderbird_esr91 + fixed
thunderbird95 --- fixed


(Reporter: KaiE, Assigned: KaiE)



(Keywords: sec-critical)


(3 files)

When processing incoming S/MIME email that is digitally signed, we:

  • (a) perform a check of the signature, including verification of the signing certificate
  • (b) import the certificates that are found inside the signature, because they might be necessary for verifying the signing certificate, and also for making it possible to use these certificates in the future for encryption

The classic NSS verification is limited in its ability to perform revocation checking, in particular the current configuration used by the Gecko platform has trouble with a proxy configuration.

In addition the S/MIME implementation in NSS is hardcoded to use the classic NSS verification APIs.

Therefore in bug 324474, we had added an additional check at the mail code level. In bug 813418 that code was later upgraded to use the mozilla::pkix for an initial validity check.

However, that additional check is limited to check the signature certificate. Earlier, we perform import of certificates that are bundled with the signature.

This bug suggests that we perform the additional check for all certificates that we are automatically importing, too.

We should expedite adding this check, therefore I'm using a workaround that involves copying some internal NSS code to the Thunderbird code. At a later time, we should clean this up by adding a new API to NSS, that allows the mail code to perform its own additional checks using a callback. (The design of the new API can be discussed at a later time, when we perform the cleanup.)

It was noticed that the mozilla::pkix code doesn't support checking DSA certificates nor RSA-PSS certificates.

This means, because of the existing checks, we never show signatures from such certificates as valid. I couldn't find any bug report in the S/MIME component mentioning the classic DSA algorithm, so apparently nobody has ever complained that DSA cert signatures are always reported in Thunderbird as invalid. And it's already known that RSA-PSS is not yet supported by the Thunderbird S/MIME code (bug 1597202).

Therefore I'm not worried that the suggested change will extend this limitation to the automatic certificate import from incoming email, it seems unlikely that it will have a relevant impact.

Attached patch 1738501-cc.patchSplinter Review

Note the patch in phabricator applies to comm-esr91.

comm-central needs a slightly merged patch, I'm attaching it here.

Looks good to me.

Group: mail-core-security

Comment on attachment 9248548 [details] [diff] [review]

[Triage Comment]
Approved for ers91

Attachment #9248548 - Flags: approval-comm-esr91+

Comment on attachment 9248476 [details]
Bug 1738501 - Add check using mozilla::pkix to some more scenarios. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9248476 - Flags: approval-comm-beta+

Comment on attachment 9248476 [details]
Bug 1738501 - Add check using mozilla::pkix to some more scenarios. r=mkmelin

[Triage Comment]
This is the c-esr91 version.

Attachment #9248476 - Flags: approval-comm-beta+ → approval-comm-esr91+

Comment on attachment 9248548 [details] [diff] [review]

[Triage Comment]
For c-central and c-beta (95b1)

Attachment #9248548 - Flags: approval-comm-esr91+ → approval-comm-beta+

Pushed by
Add check using mozilla::pkix to some more scenarios. r=mkmelin

Closed: 3 years ago
Resolution: --- → FIXED

Add required symbols for linking.

Attachment #9248766 - Flags: review?(rob)
Pushed by
Follow-up: Fix unresolved NSS symbols on macOS/Windows. r=rjl
Target Milestone: --- → 96 Branch
Attachment #9248766 - Flags: review?(rob) → review+
Pushed by
follow-up - clang-format. rs=clang-format

Assigning CVE-2021-43529. Since this happened to protect Thunderbird users from the worst effects of bug 1737470 it's effectively a security fix.

Alias: CVE-2021-43529
No longer blocks: CVE-2021-43527
Depends on: CVE-2021-43527

Suggested advisory text:

     title:  Memory corruption when processing S/MIME messages
     impact: critical
     reporter: Tavis Ormandy
     description: |
       Thunderbird versions prior to 91.3.0 are vulnerable to the heap
overflow described in CVE-2021-43527 when processing S/MIME messages.
Thunderbird versions 91.3.0 and later will not call the vulnerable code 
when processing S/MIME messages that contain certificates with
DER-encoded DSA or RSA-PSS signatures.
       - url: 1738501
Flags: needinfo?(dveditz)
Keywords: sec-critical

That sounds pretty good.

Flags: needinfo?(dveditz)
See Also: → 1738592
You need to log in before you can comment on or make changes to this bug.